Ahead of European Parliament discussions of accusations of US
industrial espionage raised by the IC2000 report
[1],
EU countries are
moving one-by-one to liberalize their encryption laws. They aim to
inoculate the EU against the threat of organized and unaccountable
spying posed by the US-led Echelon system. This movement toward the
free export of 128-bit crypto will put further pressure on an
ever-more-isolated US policy of export control. This Nando Times article
[2] gives a good brief overview of worldwide concerns over Echelon.

(Note: turn off graphics before following
[1].
The text alone downloads 332K and the graphics add little to
the report.)

Sten Linnarsson <sten at cajal dot mbb dot ki dot se> of the
Karolinska Institute published this note to the EUcrypto mailing list.

I finally managed to confirm that the decision taken on June
23rd
[3][this link is in Swedish] to liberalize crypto
export takes the form of a general export license which allows
you to export 128-bit mass-market crypto to a list of approved
countries.

The EU is not considered "export," you can distribute any
crypto you like within it. The general license extends to
about 60 countries, including USA, most of South America,
China, Japan, Israel, Egypt, India, the Baltic states,
Russia, Indonesia, and Mexico. Absent are, among others: Serbia,
Libya, Afghanistan, Colombia, most African countries, and
some Central American countries.

"Mass-market" has the same definition as in Wassenaar (sold
in mass-market channels, accessible to the public, crypto not
modifiable, installable without support).

With Germany and France already moving, this probably means
that most EU countries will move toward free strong crypto.

The general license can be found in Tullverkets
Författningssamling TFS 1999:40, July 1st 1999.

A German technology magazine published a brief piece
[4] (in German)
stating that the German government intends to remove most of the red
tape from the export of commercial crypto products. Here is a rough
translation of the article, courtesy of TBTF Irregulars
[5] Justin
Mason <jm at netnoteinc dot com> and Mark Kraml <kraml at ibm dot
net>:

German encryption software to be freely exportable. The
Federal Republic eases the export of encoding technique.
Exporters of [crypto products], which can be qualified as
mass-market goods, will no longer need individual permits
starting September 1st for third country markets. "There
are no limits based on any specific key lengths" said
secretary of state for the economy [Siegmar Mosdorf] on Friday
in Berlin. Rather, for mass-market products a basic export
control requirement will be defined in the future, this
however is reduced to the absolute minimum necessary.

The new regulation applies to all but a few countries
worldwide, if goods are not intended for "a sensitive use as in
military work or for weapons of mass destruction."
[Exporters] must decide in the future whether their products qualify
for the exemption and maintain documentation to that effect.
There is no longer a general requirement to register.

Did Microsoft build a back door into Windows for the NSA?
I'm doubting it

By now you've heard all about the extra signing key found in
Microsoft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the
posting by Andrew Fernandes that started all the fuss
[6]. The BBC
has an annotated screen shot
[7] of a debugger session showing the
variable named, portentously, _NSAkey. Microsoft's official
response
[8] to the flap makes a whole lot more sense than assuming
that the National Security Agency had somehow weakened Microsoft's
crypto and tagged the fix "_NSAkey." To put a few authoritative
nails in this coffin, read the thoughts of Russ Cooper
[9],
proprietor of NTBugTraq, and of the noted cryptographer Bruce Schneier
[10].

The investigations of Fernandes (building on work last year by Nicko
van Someren and Adi Shamir) have publicized a way to disable crypto
export control in Windows. Anyone outside the US can replace _NSAkey
with their own key, and use that key to sign a crypto module of any
strength, and then use that strong crypto under the auspices of
Windows. But note that this impotence of Microsoft's CryptoAPI to
control what crypto gets run is not new news. Bruce Schneier pointed
out this Windows weakness in his CRYPTO-GRAM newsletter last April
[11], before anybody discovered the name of the replaceable second
key.

Over the weekend Brian Gladman <gladman at seven77 dot demon dot co
dot uk> posted a note
[12] to the UK Crypto list demonstrating that
the Microsoft CryptoAPI had been a serious political issue in
Britain 3-1/2 years ago. He worked with British authorities to make
sure that Microsoft UK was able to sign cryptographic modules
separately from the US authority.

The _NSAkey fiasco raises four separate issues, and little of the
commentary I've read makes much effort to disentangle them. The
issues are:

Did Microsoft collude with the NSA? (Answer: who knows?
Probably not.)

Will Microsoft's actions allow the NSA to penetrate the
computers of Windows users? (Answer: almost certainly not.)

Did the US government, represented by the NSA, work with
Microsoft to assure that only weak crypto is exportable in the
Windows framework? (Answer: absolutely.)

What will be the fallout of this tangle? Even more people will be
made aware that Microsoft security is porous. Even more people will
learn of the utter inability of US controls to stop the export of
technology which truly escaped a decade ago. And even fewer people
will believe what Microsoft says, even though in the matter of the
_NSAkey the company is probably telling the truth. A few years back
Nicholas Petreley, the IDG pundit, summed up the common perception
this way:

If you threw Microsoft into a room with truth, you'd risk a
matter / anti-matter explosion.

After the hacker group Global Hell defaced the US Army's Web site
[13] (note: link may deactivate after 1999-09-15), the Army
investigated ways to secure their Web presence. One action the service took was
to shut down their public-facing Windows NT server and replace it
with a Macintosh
[14] running the WebStar server. As one poster
noted in the Slashdot discussion
[15], one factor that renders MacOS
secure is its "quaint" (his word) native reliance on the AppleTalk
protocol over TCP/IP. An out-of-the-box Macintosh on the Net
presents no open ports through which attackers may enter, just port
80 to the Web server. Two years ago the Crack-a-Mac Challenge
[16]
survived thousands of break-in attempts over 6 weeks before
succumbing to a hole (immediately fixed) in a 3rd-party add-on to the
WebStar server.

The White House server was also cracked by Global Hell, which may
motivate this Federal Times story's claim
[17] (note: this looks like a temporary URL) that the executive
is studying how best to diversify the government's infrastructure
away from reliance on Microsoft in favor of open source systems.

Look for a marked dip in Windows sales to the US government and,
over time, to other organizations with high security needs. The
introduction of Windows 2000, with its reportedly immense learning
curve, might make a natural break-point.

Digital technology is the universal solvent of intellectual
property rights

Is it piracy to put up a page of links to music files? Tommy
Olsson is waiting to hear a Swedish court's ruling on that question
[18]. Olsson didn't create any music files, copy them, or send them
to anyone. The case is the first to go to trial of some 1000 Web
sites challenged over the last two years by the Swedish branch of
the International Federation of the Phonographic Industry, which
represents record companies. If convicted Olsson could be fined a
few hundred dollars, which is about how much he made from ads on
his Web site. But a conviction could leave him liable for damages.
Thanks to TBTF Irregular
[5] Chuck Bury <cbury at softhome dot
net> for the tipoff. And thanks, indirectly, to Tom Parmenter
<tompar at world dot std dot com> for the subtitle -- it's been
his tag line on the now-revived Desperado mailing list since the
early 1980s. (Send the message subscribe to desperado-request@world.std.com.)

In recent days I've seen two instances of the effect a runaway robot
can have on a Web site. The first was close to home: for eight days
beginning on 1999-08-27, up to a third of the bytes in my log file
were failed attempts by someone inside Microsoft's firewall to use
my site as a proxy for a content channel at real.com. This was
merely annoying and inconvenient. The second instance was potentially
more serious: a commercial Web site was discovered transferring its
costs onto an uninvolved Netizen. The current informal standard
governing how robots act on a site, the robots.txt file, is silent on
these sorts of abuses.

Log-file pollution

Someone at Microsoft was polluting my Web log file. Every minute of
every day, at 18 seconds after the minute, someone at Microsoft was
depositing the following 339-character string into my Web log
(nearly 1/2 MB per day). I've broken it into 60-character chunks for
convenience.

tide78 is one of Microsoft's gateways; traffic from such an
address means that someone at microsoft.com is calling. The 403
near the end means that my server refused the proxy request. So
this impolite behavior gained its perpetrator not a fig. TBTF's
host ISP wrote to Microsoft asking them to locate and stop this
logfile polluter, but got back only a form letter.

My guess is that someone with a channel-enabled browser (IE5?)
happened to be looking at tbtf.com when setting up a channel
request, and somehow ended up proxying the once-a-minute request
through my site.

I posted my dilemma as a Tasty Bit of the Day with the title
Please make it stop and implored any reader within Microsoft
to forward it to the IS department. Three readers wrote in with
helpful comments; one had forwarded my problem to the
appropriate Microsoft group. The barrage ceased 20 hours later.
(The power of the press belongs to him as owns one.)

Cost transfer

After I posted the above, a reader sent in the following note
that Linus Gelber <linus at panix dot com> had posted to a local list.
It is excerpted here by permission.

So I'm browsing our logs from the Home Office Records site
[19] yesterday and I note that our Gigometer page of local
concert listings is being downloaded every 15 minutes by a
certain netmind.com, which turns out to be a service that
alerts customers when web pages of their choice have been
updated.

Our stats for the first four days of September show that
netmind.com made 501 file requests from our site before we
blocked them, for a total of nearly 5 megs of transfer (it
appears that we caught them very early). Had this gone
unchecked, they would ultimately have been downloading 120 to
150 megs a month for their commercial service, for which of
course we would be footing the bill. I've written them
concerning theft of services and general inappropriate behavior.

The German publication Telepolis caught the Net's attention with
a story
[20], possibly picked up from the New Scientist
[21], about
Berkeley researchers and their smart dust
[22]. The 5-mm devices
they have constructed can sense local conditions and communicate
using beams of light. Though the devices are far too large to be
called "dust" -- what they are is Micro Electro-Mechanical Systems,
or MEMS -- Slashdot was alive with speculation about invisible FBI
bugs wafting in the open window. One poster quipped:

Hey, I can see a nice combination of borderline schizophrenia
and obsessive-compulsive behaviour emerging here:
keep cleaning everything because the FBI may be spying on
you.

Research leading even deeper into Neal Stephenson territory
[23] is
being carried out at Boston College. Scientists there have
constructed the beginnings of a motor using just 78 atoms[24]. It is powered
by ATP, the molecule that your mitochondria and mine use to power
cells. The same issue of Nature that carried news of the BBC
nano-scale motor also reported on another molecular motor constructed by
German, Dutch, and Japanese scientists
[25]. This one runs on light.

The center of our galaxy contains, scientists assume, a black hole
several million times as massive as our own sun. Such an object
makes conditions highly interesting for light-years around. Now a
pair of physicists have calculated
[26] how the (putative) black
hole would affect the (putative) halo of "dark" matter in its
vicinity. They suggest the black hole would sculpt any dark matter
into a dense spike where particle interactions would be more
frequent. If hypothetical particles called neutralinos (you read that
right) make up the bulk of the dark matter, as a leading hypothesis
supposes, they would self-annihilate like crazy. The neutralino is
its own antiparticle, you see. I am not making this up. The
annihilations would produce, in addition to the expected gamma rays
[27], a soup of energetic particles including neutrinos, which
would be most useful for probing the galactic core. These neutrinos
could be detected in tiny numbers by vast "telescopes" composed of
thousands of gallons of purified water or perhaps dry-cleaning
fluid.

Three weeks before last month's solar eclipse, Mark Gingrich <grinch
at rahul dot net> posted a request to several astronomy newsgroups.
Gingrich knew that many central European churches and cathedrals are
set up as giant pinhole cameras -- they feature a tiny hole in the
dome or cupola and an inscribed meridian line somewhere inside. When
the sun's projected image crosses the "noon mark," it's noon local
time. The most famous such arrangement was designed 350 years ago
by the astronomer Gian Domenico Cassini for the Church of San
Petronio in Bologna, Italy. Gingrich asked for photos of the partially
eclipsed sun as it crossed the meridian lines in these historical
scientific instruments. Gingrich's request bore fruit and Franco
Martinelli has put up this page
[28] with the results. Many thanks
to TBTF Irregular
[5] Mary Ellen Zurko for the pointer.

Rebecca Eisenberg, net.skink[29] and one of the top 25 women on the
Web
[30], wrote up her advice
[31] to public relations specialists in
the Internet industry. It is squarely on target.

If you send in paper what obviously should have been sent in
email, I assume that you don't understand your own product.
Then why would I ever take your word for anything? Have you
ever been on line? Here's how it works: you send a message,
it reaches me without bothering me, and I click on the URLs
you include.

I had occasion last week to refer a PR person to this page. Oddly,
she never did get back in touch to thank me.

Note added 2000-09-10: Found an independent
page [31a] by a Dutch
journalist offering much the same advice.